Defence in Depth is all about protecting information by building up a number of layers around it. It isn’t simply putting up a firewall and walking away. Defence in Depth means building a number of layers around the information that work together to provide a strong and (hopefully) impenetrable defence.
An example could be anti-virus software installed on individual workstations when there is already virus protection on the firewalls and servers within the same environment. Different security products from multiple vendors may be deployed at different points within the network, so that a shortfall in any one defence does not lead to a wider failure.
By layering security defences you are actually reducing the chance of a successful attack, since incorporating redundant security mechanisms requires an attacker to get round each mechanism in turn to gain access to an asset.
The idea behind defence in depth is to manage risk with diverse defensive strategies, so that if one layer of defence turns out to be insufficient, another layer of defence will hopefully prevent a full breach. This principle is well known, even beyond the security community; for example, it is a famous principle for programming language design, especially in error capturing.
The defence in depth principle may seem somewhat contradictory to the “secure the weakest link” (i.e. vulnerability and exploit management) principle, since we are essentially saying that defences taken as a whole can be stronger than the weakest link. However, there is no contradiction; the principle “secure the weakest link” applies when components have security functionality that does not overlap. When it comes to redundant security measures, it is indeed possible that the total protection offered is far greater than the protection offered by any single component.
While researching for this post, I found a real-life situation where defence in depth is applied. This information was retrieved from Viega and McGraw, Chapter 5, “Guiding Principles for Software Security,” in “Principle 2: Practice Defense in Depth,” pages 96-97.
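To make the difference between the two principles concrete, here is a toy probability model added for this post (it is not from the original article or from Viega and McGraw). Every bypass probability and the control names are constructed, illustrative values, not measurements.

```python
# Added example: a toy risk model of "redundant layers" versus "weakest link".
# All probabilities below are CONSTRUCTED illustrative values, not measured data.
from functools import reduce
from operator import mul

# Overlapping controls that all guard the same asset (hypothetical labels).
LAYERS = {
    "perimeter firewall": 0.5,      # chance an attacker gets past it
    "intrusion detection": 0.2,
    "strong authentication": 0.1,
}


def breach_layered(bypass_probs):
    """Redundant layers: the attacker must get round every layer in turn (AND).
    Independent bypass probabilities multiply, so the total shrinks with depth."""
    return reduce(mul, bypass_probs, 1.0)


def breach_weakest_link(bypass_probs):
    """Non-overlapping components, each a separate way in (OR): defeating any one
    suffices, so the total is never below the weakest component's probability."""
    all_hold = reduce(mul, (1.0 - p for p in bypass_probs), 1.0)
    return 1.0 - all_hold


def breach_correlated(bypass_probs, shared_flaw):
    """Layers that share a vendor, engine or signature set can fail together:
    with probability shared_flaw a single flaw defeats all of them at once,
    otherwise they act independently. This is the "multiple vendors" point."""
    return shared_flaw + (1.0 - shared_flaw) * breach_layered(bypass_probs)


if __name__ == "__main__":
    probs = list(LAYERS.values())
    print(f"layered, independent (AND):   {breach_layered(probs):.3f}")
    print(f"weakest link (OR):            {breach_weakest_link(probs):.3f}")
    print(f"layered, 30% shared flaw:     {breach_correlated(probs, 0.3):.3f}")
```

With the constructed values, three independent layers bring the breach chance down to 1%, the same components as separate entry points give 64%, and a shared flaw in 30% of cases pushes the layered figure back up to about 31%.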
Here’s another example, one that’s a little more modern. Take a look at a bank. When was the last time you entered a bank to see a bank teller sitting on the floor in a huge room next to a massive pile of money? Never! To get to the big money in a bank requires that you get to the bank vault, which requires that you go through multiple layers of defence. Here are some examples of the defensive layers:
- There is often a guard at the bank’s entrance.
- Some banks have time-release doors. As you enter the bank, you walk into a bulletproof glass capsule. The door you entered closes, and after a few seconds the glass door to the bank opens. This means you cannot rush in and rush out. In fact, a teller can lock the doors remotely, trapping a thief as he attempts to exit.
- There are guards inside the bank.
- Numerous closed-circuit cameras monitor the movements of everyone in every corner of the bank.
- Tellers do not have access to the vault. (This is an example of least privilege, which is covered next.)
- The vault itself has multiple layers of defence, such as:
  - It opens only at certain controlled times.
  - It’s made of very thick metal.
  - Multiple compartments in the vault require other access means.
It’s important not to rely on single solutions. Use multiple complementary security products, so that a failure in one does not mean total insecurity. This might mean a firewall, an intrusion detection system and strong authentication on important servers.
October 6, 2007 at 3:37 pm
Good article G!